NetSafe boss warns stolen Yahoo Xtra data could be used for future attacks

Telecom GM tries to draw line under affair, saying "final batch" of 60,000 affected customers passwords are being cancelled | Expert says passwords should have been cancelled a week ago | Helplines overwhelmed as thousands of shut-out customers attempt to reset their passwords.

UPDATE / Feb 18: First thing Monday morning, Telecom was around 50% of the way through the process of cancelling an additional 60,000 Yahoo Xtra passwords (on top of 15,000 already cancelled).

"We've been told by Yahoo this is the final batch of accounts. We can safely say that's the end of this particular issue," Telecom's general manager of customer service Trish Keith told TVNZ's Breakfast this morning.

But while Telecom has summarily cancelled thousands of passwords, thousands who have been shutout are facing a 90 minute-plus wait on the phone to reset their Yahoo Xtra details. The company says around 10% have hit the phone rather than change select a new password online. People are being told to head online first, but the website has been at times overloaded.(The cancelation process invovles a temporary password being issued, which customers are asked to update via phone or online).

Telecom has steadily upped its estimate of customers affected by the Yahoo mail server security breach, and the separate phishing attack.

Can a line be drawn under the affair, as Ms Keith hopes?

The direct mail server security breach meant phishing emails were sent to the contacts of some people who were not actively using their Xtra account, let alone clicking on a dodgy link.
Institute of IT Professionals NZ CEO told NBR ONLINE over the weekend that his members continue to investigate the possibility that Xtra address books and email were downloaded for later use by the hackers. Telecom and Yahoo acknowlege the nature of the Yahoo mail server security breach meant it was possible this had taken place. But both say there is so far no evidence it happened. Mr Matthews asks if there's any evidence it didn't.
Passwords should have been cancelled a week ago - NetSafe
Martin Cocker, CEO of the part goverment-funded watchdog NetSafe, is also concerned.

"The purpose of changing passwords now is to stop hackers being able to access the email accounts. This should have be done immediately following the breach. A lot of damage can be done in a week," Mr Cocker told NBR ONLINE this morning.

"Telecom will be able to force the change of 75000 passwords and that will re-secure the Xtra email, but that certainly won't be the last act in this saga. The stolen information will continue to be used for spam and phishing attacks," Mr Cocker says.

"Some of those phishing emails and contacts might be targeted very accurately once the cyber criminals take the time to analyse the stolen data more accurately. This is especially so if the content of emails was stolen during the breach. Yahoo and Telecom appear unable to confirm this hasn't happened - so we need to assume it has in the meantime."

It should be noted that it is not only Xtra customers who will feel the ongoing repercussions of such a large data loss, Mr Cocker says.

"Many of those people targeted (or "spear phished") will be contacts of the affected users."

Wait times up to 90 minutes
Wait times on Telecom's help lines reached an hour an a half ovr the weekend, Ms Keith said. Ninety percent of customers had changed their password online, but the balance were hitting the phones - clogging the company's NZ and Manila call centres for all-comers.

Telecom has upped its call centre staff numbers by 50% this morning in an effort to get on top of the overloading.

It would also up numbers by 50% tomorrow.

"By then we should see the back end of this problem," Ms Keith said.

The GM reiterated that Telecom is reviewing its contract with Yahoo, which hosts its Xtra email out of Sydney.

ABOVE (click screenshot to enlarge): A graphic example of the Yahoo Xtra email hack, and the way a user's mail account can be hijacked without them going anywhere near their inbox (as opposed to foolishly clicking on a malicious link to compromise themselves - although that techique is being to spread the Yahoo vulnerability). An NBR reader received the above email from the Xtra address of one Neal Nicholls. Keen readers will know the former Capital & Merchant Finance director is currently a guest of her Majesty. And, no, prisoners are not allowed email or internet access.

Telecom ups Yahoo Xtra attack estimate from 20K to 80K

Feb 16: Telecom has upped the number of people it says have been directly affected by the Yahoo Xtra mail server security breach and phishing attack from 20,000 to 75,000 - and is proactively cancelling accounts.

The company has tonight begun cancelling the current passwords of around 60,000 Yahoo Xtra email accounts it believes to have been compromised by last weekend's "cyber attack" (and close followers of the debacle will note the company has moved away from simply calling it a "phishing" attack in its latest statement).

These additional 60,000 customers, on top of the existing 15,000 that Telecom has been contacting over the past few days, will now be required to enter new password information when logging into their email account (around 5000 from the first 20,000 affected immediately reset their password).

The move by Telecom is aimed at protecting its email customers and preventing information contained within their emails being accessed although to date there is no confirmed evidence, by Yahoo!, that this has occurred.

Telecom CEO Retail Chris Quin says 60,000 of the 450,000 Yahoo Xtra customers have changed their password since last weekend but updated details on compromised accounts means the best way to protect customers is to cancel the current passwords of these additional 60,000 accounts.

“We’re taking this matter very seriously,” says Mr Quin, “and urge those whose passwords have been cancelled to create new passwords. However, it’s advisable for all others that have not changed their password, to do so immediately both on their computer but also on mobile devices and tablets. We continue to be sorry for any distress caused or inconvenience this has caused and reinforce that in today’s online world regular password changes are an important need.”

Login in or Register to view & post comments